users: refactor password reset flow.
The old password reset flow: * User requests a password reset. * Danbooru generates a password reset nonce. * Danbooru emails user a password reset confirmation link. * User follows link to password reset confirmation page. * The link contains a nonce authenticating the user. * User confirms password reset. * Danbooru resets user's password to a random string. * Danbooru emails user their new password in plaintext. The new password reset flow: * User requests a password reset. * Danbooru emails user a password reset link. * User follows link to password edit page. * The link contains a signed_user_id param authenticating the user. * User changes their own password.
This commit is contained in:
evazion
@@ -16,6 +16,8 @@ class SessionLoader
|
||||
|
||||
if has_api_authentication?
|
||||
load_session_for_api
|
||||
elsif params[:signed_user_id]
|
||||
load_param_user(params[:signed_user_id])
|
||||
elsif session[:user_id]
|
||||
load_session_user
|
||||
elsif cookie_password_hash_valid?
|
||||
@@ -79,6 +81,11 @@ class SessionLoader
|
||||
end
|
||||
end
|
||||
|
||||
def load_param_user(signed_user_id)
|
||||
session[:user_id] = Danbooru::MessageVerifier.new(:login).verify(signed_user_id)
|
||||
load_session_user
|
||||
end
|
||||
|
||||
def load_session_user
|
||||
user = User.find_by_id(session[:user_id])
|
||||
CurrentUser.user = user if user
|
||||
|
||||
Reference in New Issue
Block a user